CVE-2026-59817
Received Received - Intake

Ghost CMS Donation Checkout Metadata Manipulation

Vulnerability report for CVE-2026-59817, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing money from a site or its members. This issue is fixed in version 6.44.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
tryghost ghost From 6.27.0 (inc) to 6.44.0 (exc)
tryghost ghost From 6.27.0 (inc) to 6.43.1 (inc)
tryghost ghost 6.44.0
ghost ghost to 6.44.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-472 The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59817 is a vulnerability in the Ghost Node.js content management system affecting versions from 6.27.0 to before 6.44.0. It allows an unauthenticated attacker to manipulate the public donation checkout flow by controlling donation checkout metadata. This manipulation enables the attacker to obtain full paid gift memberships by making only a minimal payment.

The vulnerability does not expose customer or member data, nor does it allow stealing money from the site or its members. The issue arises because the system trusted user-supplied metadata that should have been immutable, leading to authorization bypass through user-controlled keys.

The vulnerability was fixed in version 6.44.0 by implementing stricter controls that remove or normalize reserved metadata keys and prevent unauthorized overrides of Ghost's internal donation metadata.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated attacker to obtain full paid gift memberships on your Ghost site by making only a minimal payment. This means attackers can exploit the donation checkout flow to gain memberships without paying the full amount.

However, the vulnerability does not compromise customer or member data, nor does it allow attackers to steal money from your site or its members.

The overall impact is a moderate integrity issue where unauthorized users can gain paid memberships improperly, potentially affecting your site's membership revenue and trust.

Detection Guidance

This vulnerability involves unauthorized manipulation of donation checkout metadata in Ghost CMS versions 6.27.0 to 6.43.1. Detection would involve monitoring for unusual or unauthorized creation of full paid gift memberships with minimal payments, especially via the public donation checkout flow.

Since the vulnerability exploits external control of assumed-immutable web parameters, detection could include inspecting HTTP requests to the donation checkout endpoint for suspicious metadata keys such as 'ghost_donation', 'ghost_gift', or 'ghostSignupContext' being supplied by unauthenticated users.

Specific commands are not provided in the resources, but general approaches could include:

  • Using network traffic capture tools (e.g., tcpdump, Wireshark) to monitor POST requests to the donation checkout API endpoint and analyze metadata payloads.
  • Using application logs to identify donation checkout sessions created with suspicious metadata or minimal payments resulting in full gift memberships.
  • Querying the Ghost database or API for recent gift memberships created with minimal payments or unusual metadata flags.

However, no explicit detection commands or scripts are provided in the available resources.

Mitigation Strategies

The primary immediate mitigation step is to upgrade Ghost CMS to version 6.44.0 or later, where the vulnerability is fixed.

If upgrading immediately is not possible, a temporary workaround is to disable the donations feature to prevent exploitation via the donation checkout flow.

This can be done by configuring the site settings or using Ghost-CLI or Docker to disable donations until the patch is applied.

The patch includes stricter controls that remove user-supplied reserved metadata keys, validate webhook events to reject conflicting donation or gift markers, and ensure Ghost's own metadata flags cannot be overridden.

Therefore, applying the update ensures these layered defenses are in place to prevent unauthorized gift membership creation.

Compliance Impact

The vulnerability in Ghost's donation checkout flow allowed unauthenticated attackers to obtain full paid gift memberships with minimal payment but did not expose customer or member data or steal money.

Since no customer or member data was exposed, and no financial theft occurred, the vulnerability does not directly compromise personal data confidentiality or integrity.

Therefore, this issue is unlikely to cause direct non-compliance with data protection regulations such as GDPR or HIPAA, which focus on protecting personal and sensitive data.

However, the ability to manipulate paid memberships without proper authorization could indirectly affect business processes or membership integrity, which organizations should consider in their compliance risk assessments.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59817. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart